cicnavi
commented
2 weeks ago @pradtke Can you please check your access logs if anyone actually used this? I couldn't find any...
Open cicnavi opened 2 weeks ago
cicnavi
commented
2 weeks ago @pradtke Can you please check your access logs if anyone actually used this? I couldn't find any...
pradtke
commented
2 weeks ago I don't quite understand. Are you asking if we have any implicit flow usage, or if we have implicit flow usage that only requests token in the response_type (rather than requesting both id_token and token)? We have a very tiny amount of implicit usage that requests response_type=id_token%20token (I believe that is the required ones per the implicit spec).
Most browser apps use PKCE.
cicnavi
commented
2 weeks ago I was only interested in response_type=token (OAuth2 implicit flow). I'm not interested in OIDC implicit flow, I won't touch that. So, there is no such cases, which is quite reasonable. I will probably go ahead and drop support for that when I get the chance...
pradtke
commented
2 weeks ago Ah, right I understand now. My brain autocorrected OAuth2 to OIDC :) We have no such usage, and dropping it sounds good.
In the codebase we have OAuth2 Implicit Grant (src/Server/Grants/OAuth2ImplicitGrant.php), which is triggered by 'response_type' = 'token' param request on authorization endpoint.
This is not OIDC standard flow and there is low probability that anyone ever used it. It also brings some code branching which could be avoided if this flow can be dropped.